Why the EU Has Issued Relatively Few Data Protection Adequacy Determinations? A Reply

A January 2, 2017 commentary by Ariel Teshuva raises an intriguing question. While the European Commission is vested with the authority under Article 25(6) of the Data Protection Directive to issue data protection adequacy determinations—a declaration that a given jurisdiction outside the EU provides adequate legal protection for personal data—why have so few been adopted?

In reviewing this question, Teshuva finds the content of the current list of 12 adequacy decisions difficult to explain. She also wonders how it is that large technology and banking firms based in countries without an adequacy determination remain able to continue significant trading relationships with Europe.

In this post, I will suggest that while the list of 12 territories that benefit from adequacy decisions is heterogeneous, the membership list remains easy to explain. I will also suggest that it is understandable that many other jurisdictions remain absent from the list. Finally, I will provide some thoughts on how multinationals from third-party jurisdictions that do not benefit from adequacy determinations nonetheless maintain healthy European operations.

Members of the Free Movement of Personal Data Club

Let’s first review a list of places where personal data can move freely without concern over the EU’s data export restrictions. As of December 31, 2016, there are 31 member states of the EU and EEA. Data export restrictions (required by Article 25 of the Directive) simply do not apply when personal data move among and between these 31 member states. When we add the 12 current adequacy decisions to this list (including the EU-US Privacy Shield arrangement), it brings the total number of states and territories in the free movement club to 43. This already represents a sizeable percentage of the world’s developed economies. While more than 150 sovereign states remain outside the club, only six of those absent (Australia, Chile, Japan, South Korea, Mexico, and Turkey) are in the 35-member OECD.

As Teshuva points out, an adequacy determination results only after a request by a third-party territory. Each of these 12 territories therefore must have believed that it was in its strategic interest to make such an application, and each presumably graded its chances of success as relatively good.

Half of the current adequacy decisions (six) apply to territories in Europe. Four of these concern island-dependent territories of EU member states (Faroe Islands, Isle of Man, Guernsey, and Jersey). These should not come as a surprise. Each of these four island territories enjoys strong commercial and legal ties to their nearby states, and can easily benefit from technical assistance in reviewing and revising laws. Equally important, each has a small political community. Their legislatures can maneuver quickly to adopt or revise public law as needed to address whatever issue might otherwise impede trade. The remaining two European decisions apply to European states with a significant international retail financial services sector, and that are geographically sandwiched in the middle of EU member states (Andorra and Switzerland).

Of the six non-European adequacy decisions, four constitute findings of general legal adequacy (Argentina, 2003; Israel, 2011; Uruguay, 2012; and New Zealand, 2013). As in the case of the six decisions applicable to European territories, each of these jurisdictions demonstrated that its domestic laws are sufficiently close to EU data protection principles to provide adequate protection to data subjects. Each of these states, presumably, decided that obtaining such a determination was in its strategic interests. Of the three most recent cases, for example, Uruguay is reported to have made the move in an effort to attract business from Europe (and possibly to divert business from neighbouring and equally “adequate” Argentina) that includes a large personal data processing component, such as call centres, financial services, and telemedicine.

The Unusual Compromises for North America

The remaining two adequacy decisions, applicable to North America, are more complicated. Neither is based on a finding of general legal adequacy.

The decision applicable to Canada (2001) is a limited finding that applies only to exports of personal data to a class of data recipients that are clearly regulated by Canada’s own data protection law. Notably, the Canadian government itself and Canadian not-for-profit organisations are not included within the scope of this decision, because these entities are not regulated by Canada’s general data protection legislation. One can easily imagine the conflicting pressures faced by Canada in negotiating its adequacy decision more than 15 years ago. An EU finding of general adequacy would have required Canada to expand the scope of its domestic data protection law to include government agencies and not-for-profit organisations. One presumes that this was not politically achievable, and so Canada and the EU reached a compromise: a finding of partial adequacy that enables free movement of personal data to the (adequately regulated) Canadian for-profit business sector.

Finally, we reach the United States. Unlike any of the other 11 territories with current adequacy determinations, the US does not have any generalized system of data protection legislation. The US also seems highly unlikely to adopt any such general legislation in the foreseeable future. Such a move would almost certainly disrupt a wide variety of domestic US business practices ranging from consumer-directed activities like direct mail advertising, online advertising, financial services, consumer activity monitoring, and credit scoring, to more intrusive activities such as workplace drug testing. For the foreseeable future, I cannot envision a set of circumstances that would naturally lead the US Congress to agree to a sweeping new data protection regime sufficiently broad to meet EU standards.

In seeking an EU adequacy decision, the US took an approach which remains unparalleled. This approach gives US domestic firms the option (not the obligation) to become regulated in accordance with EU data protection principles. This was the approach taken with the (now invalidated) Safe Harbour arrangement in 2000. It remains the approach adopted in 2016 for the new US-EU Privacy Shield arrangement. Both sets of negotiations required significant investment of time and effort by the governments of the US and EU.

Motivations for the US to Apply for a Limited Determination

It seems to me that the real question is not “Why are there so few adequacy determinations?” That one is easy. Obtaining a finding of general legal adequacy normally requires the applicant territory to demonstrate that its domestic law adheres extremely closely to EU data protection principles. Outside of Europe, the only jurisdictions that have taken the time and effort to do so (other than the US) are those that have broadly adopted these same principles into their domestic law, and that believe (rightly or wrongly) that such an adequacy decision will be of strategic value.

The better question is: why did the US, a jurisdiction that is not prepared to adopt EU-style privacy legislation, bother to seek an adequacy determination, given the enormous transaction costs involved in negotiating a custom-made regulatory regime? For that matter, why did the European Commission entertain, and dedicate significant resources to dealing with, such an unusual request?

I believe the desire of the US to apply for special treatment is directly related to the scale of business conducted by US firms based on, or enhanced by, transfers of personal data out of the European data protection zone (i.e., the European Economic Area plus the six European territories that benefit from adequacy findings).

Teshuva appears to dismiss the argument that the size of the home state business sector is a predictor of home state requests for adequacy determinations. She notes that while 7 of the world’s 10 largest technology companies are based in the US, many other major tech companies are based in other large jurisdictions like China and South Korea. I find this unpersuasive. Any assessment of the size of home state business (and thus of the strategic pressure upon a home state government to seek an adequacy determination) must begin with the provision of services rather than products—specifically, services which are likely to involve the export of personal data back to the supplier. One of the most significant examples is the supply of cloud services (SaaS, PaaS, or IaaS) to Europe using infrastructure, or management control of infrastructure, located outside Europe.

By adopting the Forbes list of the world’s largest technology companies as an indicator of significant action in the personal data space, Teshuva implicitly equates the financial weight of large international cloud services companies like Microsoft and Google with that of predominantly product-based companies like Samsung and Huawei. These latter companies often form part of an upstream supply chain, or predominantly follow channel partner strategies, with fewer direct connections to European data subjects. This is like comparing apples and oranges, or in this case, actually comparing Apple with Foxconn.

A better indicator for assessing the strategic imperative for free movement of personal data is to examine the market for software as a service (SaaS). A SaaS provider routinely receives customer data into its system and is asked to analyze and report on this same data. SaaS customers repose a tremendous amount of trust in their SaaS provider. An interesting picture emerges here. American firms comprise 37 of the 40 most influential SaaS companies (as reported in Montclare SaaS 250, retrieved January 9, 2017). Of the three non-US firms in the top 40, two are based in the EU and one is in Australia. (From the Forbes top 10 tech list cited by Teshuva, only three, all Americans, appear in the same top 40: Google at 3rd place, Oracle at 15th, and Microsoft at 27th.)

SaaS offerings represent some of the highest value-add propositions in information technology today. They also require wholesale transfer of data into the hands of the service provider. The US is leading the world in developing and deploying these services. It’s not surprising that the US government is motivated to preserve and promote the global prospects of these and similar businesses, especially with the European Union (which collectively constitutes the single largest destination market for ICT services, and potentially ICT-enabled services, exported from the US). It’s equally unsurprising that the EU wants to enable its resident businesses to benefit from these same service offerings.

Growing Pressure for a US-EU Solution

When the original US-EU Safe Harbour arrangement was adopted in 2000, SaaS was not the order of the day. In 2000 there was no immediate rush by US companies to sign up. It was more of a slow, deliberate walk.

Over time, customers in the European data protection zone began to appreciate more clearly their own compliance responsibilities. These same European customers in turn began exerting increased pressure on their non-European data processing suppliers, often based in North America, for an easy-to-use compliance solution.

Over the course of 15 years, a growing number of US boards of directors were slowly convinced of the business value of embracing this system of voluntary regulation. They were increasingly weary of the added transaction costs created in establishing alternative safeguards, such as executing standard form export contract clauses with each of their customers. New market entrants in the burgeoning field of international SaaS were generally faster to adopt this solution. For agile cloud service providers, anything that adds to the complexity of concluding service contracts (such as a series of questions from customer data protection compliance officers and legal departments) is deadly to the success of the business model.

By the time the Safe Harbour arrangement was invalidated in 2015 more than 3,000 US firms had signed up. The demand from US (and European) industry for a replacement solution in 2016 was undoubtedly much higher than in 2000. It is no wonder that the US Commerce Department (and the European Commission) spent so very much time developing the new and expanded Privacy Shield system.

European customers of US services businesses want a continued, simple method to assure compliance with the export principle. It only remains to be seen whether the US and EU have achieved a balance that will meet the now-heightened scrutiny of the European Court of Justice.

Absent Friends

Teshuva also asks, “How are the firms from nations not on the [adequacy] list still conducting business with the EU?”

The simple answer is, “Because they can.”

Keep in mind that while Article 25(4) of the Data Protection Directive gives the European Commission authority to prohibit transfers to territories that lack adequate protection, the Commission has not used this authority to “blacklist” any territories. In theory, at least, personal data can (with adequate safeguards) be exported anywhere on earth.

Moreover, the data exporting firm itself is primarily responsible for compliance. It must satisfy itself that it is sending personal data to places that guarantee adequate protection, or employ adequate safeguards in connection with the transfer.

In addition, a given technology supplier’s product and service portfolio may not rely significantly upon receipt of personal data. Such firms will face fewer demands from European customers for adequacy solutions.

When exports of personal data do form a core part of business activity, there are (as Teshuva acknowledges) alternative, private law, adequacy measures that can substitute for state law adequacy. To take a common example, in the delivery of call center services from India to the United Kingdom, the UK business customer (exporting personal data to India) can invest the time necessary to assure adequate safeguards using standard contract clauses. When UK financial institutions off-shore customer support centers, they often invest significantly in data protection supervisory and audit functions as part of their supplier governance process.

Binding corporate rules (BCRs) have become a preferred solution for multinational firms that wish to transfer their own business data seamlessly intra-group. BCRs are additionally being adopted by data processing firms as a means of facilitating transfers of their customers’ data. (Salesforce, a leading SaaS provider, is both an early adopter of data processor BCRs and a participant in Privacy Shield.) Although BCRs are expensive and time-consuming to establish, they provide a regulator-recognised compliance tool that can be highly individualised to the needs of a corporate group.

Multinational suppliers that wish to grow their personal data processing services market can also pursue a strategy of data localisation. Localisation is simply the delivery of cloud services from servers that are located in, and managed from, the customer’s own territory. Cloud services customers are increasingly aware that deployment on a “foreign” cloud exposes their business to potential jurisdictional risk from “foreign” sovereigns. While data localisation increases the cost of supply, many cloud service providers are already making these localisation investments and may be pursuing a long-term localisation strategy in major markets.

There are many other circumstances in which personal data can depart Europe—most notably when the data subject herself gives consent, or when the export of data is necessary to fulfil a contract with the data subject. Teshuva raises the case of a large international bank based in Asia (where no adequacy determination applies) and asks how the bank can conduct business in Europe. Although I do not know what that bank’s specific compliance strategy is, it could (if it wished) agree terms of business whereby its customers consent to the processing of their personal data outside Europe. It may also be the case that customers of that bank, who primarily wish to facilitate business dealings in the territory of the bank’s Asian headquarters, appreciate that the bank will need to transfer personal data to achieve the customer’s business goals. For that matter, the bank group might make use of standard export clauses applied pursuant to intra-group contracts, or it might limit processing of its European customers’ personal data to its European group companies operating from European data processing facilities. The bank can choose from among many compliance strategies.

Bottom Line

States that perceive a significant strategic value in enabling the free movement of personal data from Europe to their own domestic firms, and whose legal systems closely mirror European standards, might continue to apply for adequacy decisions.

As the world leader in international cloud service delivery (especially SaaS delivery), it is little wonder that the US government wants to do whatever it can to facilitate the free and easy movement of personal data from the European data protection zone: its single largest export market for ICT services. The US is unable to request a finding of general legal adequacy as its legal system is too dissimilar to EU standards. It has, instead, negotiated a highly unusual opt-in regulatory regime which serves as the basis of a limited adequacy finding.

In the meantime, there is growing pressure, both within Europe and elsewhere, for data localization. Customers increasingly demand that sovereign jurisdiction over their data remain solely within their home territory. If this trend continues, it will produce continued in-country investment in ICT service delivery infrastructure wherever major customer demand is present.

As data center infrastructure and management become ubiquitous throughout the world, the entire issue of transnational data movement may eventually diminish in importance. Only time will tell.

Robert Carolina is the Executive Director of the Institute for Cyber Security Innovation at Royal Holloway University of London, where he also lectures on legal and regulatory aspects of cyber security. He is a graduate of the University of Dayton, Georgetown University Law Center, and the London School of Economics, and has more than two decades’ experience as a practitioner of ICT law.